GOV-05: Maintain Group Naming Conventions
Overview
Consistent naming conventions improve governance, make groups easier to find, and indicate their purpose at a glance. Random or inconsistent group names suggest poor organizational hygiene and make administration harder.
This control assesses whether your Microsoft Entra ID groups follow a consistent, detectable naming pattern. TrueConfig checks that at least 70% of groups use a recognizable convention such as a standard prefix (e.g., PREFIX-Name or PREFIX_Name) or a consistent casing style (e.g., CamelCase). Groups that do not match any detectable pattern lower the score.
The expected state for this control is:
- Groups follow a consistent naming convention pattern.
- At least 70% of groups use a detectable pattern (e.g., PREFIX-Name, PREFIX_Name, CamelCase).
- Naming patterns improve group organization and discoverability.
This is an advisory, manual-only control. TrueConfig detects adherence; renaming non-compliant groups must be done by an administrator. Assessing naming adherence requires no license beyond the Entra ID tier you already hold.
Prerequisites
Required Roles
- Global Administrator - Full configuration access
- Groups Administrator - Can rename and manage groups
Required Licenses
- None. Assessing and correcting group naming requires no additional license beyond any Entra ID tier. Note: the automated Entra ID group naming policy (an optional enforcement tool described in Step 4) requires Microsoft Entra ID P1 and applies only to Microsoft 365 groups.
Time Estimate
| Task | Duration |
|---|---|
| Audit current group names | 30-60 minutes |
| Define naming convention | 1-2 hours |
| Rename non-compliant groups | Varies by volume |
| Configure optional naming policy | 30 minutes |
| Initial Setup Total | 2-4 hours plus remediation |
Step-by-Step Instructions
Step 1: Decide on a Group Naming Convention
Before remediating non-compliant groups, document a clear standard. Common patterns that TrueConfig can detect include:
| Group Type | Prefix | Format | Example |
|---|---|---|---|
| Security Groups | SEC- | SEC-[Dept]-[Function] | SEC-Finance-ReadOnly |
| Distribution Lists | DL- | DL-[Dept or Team] | DL-Marketing |
| Microsoft 365 Groups | M365- | M365-[Project/Team] | M365-ProjectAlpha |
| Dynamic Groups | DYN- | DYN-[Criteria] | DYN-AllEmployees |
| Role Groups | ROLE- | ROLE-[RoleName] | ROLE-HelpDeskAgents |
Choose one consistent delimiter (hyphen or underscore) and apply it uniformly. Document exceptions (e.g., legacy groups that cannot be renamed) to avoid repeated audit findings.
Step 2: Audit Current Group Compliance
Run the following script to identify groups that do not match your chosen patterns:
Connect-MgGraph -Scopes "Group.Read.All"

# Define the naming patterns your organization uses (anchored regexes).
# -match is case-insensitive, so "sec-Finance" also counts as compliant;
# switch to -cmatch if your standard requires the prefix in upper case.
$validPatterns = @(
    "^SEC-",
    "^DL-",
    "^M365-",
    "^DYN-",
    "^ROLE-"
)

# Get all groups (-All follows the Graph paging for you)
$groups = Get-MgGroup -All -Property DisplayName, Id, GroupTypes, CreatedDateTime

# Identify non-compliant groups. @() keeps .Count reliable when zero or one group matches.
$nonCompliant = @($groups | Where-Object {
    $name = $_.DisplayName
    $isCompliant = $false
    foreach ($pattern in $validPatterns) {
        if ($name -match $pattern) {
            $isCompliant = $true
            break
        }
    }
    -not $isCompliant
})

$total = @($groups).Count
$compliant = $total - $nonCompliant.Count
$pct = if ($total -gt 0) { [math]::Round(($compliant / $total) * 100, 1) } else { 0 }
Write-Host "Total groups: $total"
Write-Host "Compliant groups: $compliant ($pct%)"
Write-Host "Non-compliant groups: $($nonCompliant.Count)"

# Export for remediation. GroupTypes is a string array; join it, otherwise
# Export-Csv writes "System.String[]" instead of the values.
$nonCompliant |
    Select-Object DisplayName, Id,
        @{ Name = 'GroupTypes'; Expression = { $_.GroupTypes -join ';' } },
        CreatedDateTime |
    Export-Csv "non-compliant-groups.csv" -NoTypeInformation
The TrueConfig threshold is 70%. If the compliance percentage is below 70%, this control will be flagged.
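The audit above only recognises the prefixes you list. The control description also counts a consistent delimiter or casing style (PREFIX-Name, PREFIX_Name, CamelCase) as a detectable pattern, and Step 1 asks you to keep documented exceptions out of repeated findings. The following is an added example, not TrueConfig's own detection code, that classifies names into those pattern families, excludes documented exceptions from the denominator, and scores the result against the 70% threshold. The regexes, the sample inventory and the helper names (Get-NamingPattern, Test-GroupNamingCompliance) are assumptions for illustration; it runs offline against a constructed list so you can check the logic before pointing it at Get-MgGroup output.

```powershell
# Added example: pattern-family classifier with exception handling and threshold scoring.
# The regexes approximate the pattern families named by the control; they are not TrueConfig's.

function Get-NamingPattern {
    param([Parameter(Mandatory)][string]$Name)
    # Prefix checks run before the casing check so "SEC-FinanceRO" is reported as a
    # prefix pattern rather than CamelCase. -cmatch keeps the prefix case-sensitive.
    if ($Name -cmatch '^[A-Z0-9]{2,8}-\S')      { return 'PREFIX-Name' }
    if ($Name -cmatch '^[A-Z0-9]{2,8}_\S')      { return 'PREFIX_Name' }
    if ($Name -cmatch '^([A-Z][a-z0-9]+){2,}$') { return 'CamelCase' }
    return 'None'
}

function Test-GroupNamingCompliance {
    param(
        [Parameter(Mandatory)][string[]]$Names,
        [string[]]$Exceptions = @(),   # documented exceptions, excluded from the denominator
        [double]$Threshold = 70        # the TrueConfig threshold from the control
    )
    $scored = $Names | Where-Object { $_ -notin $Exceptions } | ForEach-Object {
        [pscustomobject]@{ Name = $_; Pattern = Get-NamingPattern -Name $_ }
    }
    $total     = @($scored).Count
    $compliant = @($scored | Where-Object Pattern -ne 'None').Count
    $pct = if ($total -gt 0) { [math]::Round($compliant / $total * 100, 1) } else { 0 }

    [pscustomobject]@{
        Total        = $total
        Compliant    = $compliant
        Percent      = $pct
        MeetsControl = ($pct -ge $Threshold)
        NonCompliant = @($scored | Where-Object Pattern -eq 'None' | Select-Object -ExpandProperty Name)
        ByPattern    = $scored | Group-Object Pattern | Sort-Object Count -Descending |
                           Select-Object Name, Count
    }
}

# Constructed sample inventory (not real tenant data). Replace with:
#   (Get-MgGroup -All -Property DisplayName).DisplayName
$sample = @(
    'SEC-Finance-ReadOnly', 'SEC-HR-Editors', 'DL-Marketing', 'M365-ProjectAlpha',
    'DYN-AllEmployees', 'ROLE-HelpDeskAgents', 'APP_Payroll_Admins', 'FinanceReviewers',
    'test group 2', 'bobs team', 'All Users'
)

# "All Users" is the tenant-wide system group, recorded as an approved exception.
$result = Test-GroupNamingCompliance -Names $sample -Exceptions @('All Users')
$result | Format-List Total, Compliant, Percent, MeetsControl, NonCompliant
$result.ByPattern | Format-Table -AutoSize
```

With the sample list, 10 names are scored (the exception is excluded), 8 match a pattern family, so the result is 80% and MeetsControl is True; "test group 2" and "bobs team" are listed as non-compliant. Note that the classifier accepts any upper-case prefix, so a tenant with consistent but undocumented prefixes still scores well; tighten the first two regexes to your documented prefix list if you want a stricter reading than the control itself requires.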
Step 3: Rename Non-Compliant Groups
For each group in the export, rename it to follow your convention:
# Rename a Microsoft 365 group or security group by object ID.
# Only the display name changes; the mail nickname and any SMTP addresses keep their old values.
Update-MgGroup -GroupId "<GroupId>" -DisplayName "SEC-Finance-ReadOnly"
Notes:
- Update-MgGroup -DisplayName changes the display name only. For mail-enabled groups the alias (MailNickname) and SMTP addresses are unaffected, so decide up front whether your convention also governs the address, and change it separately if it does.
- Microsoft Teams names are tied to their underlying Microsoft 365 group. Renaming the group also renames the Team, which notifies members.
- Some legacy groups or system-created groups cannot be renamed. Document these as exceptions.
- Distribute the remediation across a change window for large group inventories to avoid notification fatigue.
Step 4: Configure the Entra ID Group Naming Policy (Optional, Requires P1)
If your organization holds Microsoft Entra ID P1 licenses, you can configure a naming policy that enforces prefixes or suffixes and blocks reserved words when a Microsoft 365 group is created or renamed. The policy applies to Microsoft 365 groups across Microsoft 365 workloads (including Teams); it does not govern security or distribution groups created directly in Entra ID, so those still depend on the audit in Step 2. This is an optional enforcement mechanism; it does not affect the detection threshold for this control.
- Navigate to Microsoft Entra admin center: https://entra.microsoft.com
- Go to Identity > Groups > All groups
- Click Naming policy in the left navigation.
Configure Prefixes and Suffixes
- Under Group naming policy, click Add prefix or Add suffix.
- Choose String for a fixed prefix (e.g., "M365-", since the policy applies to Microsoft 365 groups) or Attribute for a value taken from the creating user (e.g., Department).
- Click Save.
Configure Blocked Words
- Under Blocked words, download the template, add reserved words (e.g., admin, root, test), and upload the file.
- Click Save.
Note: some administrator roles are exempt from the naming policy, including Global Administrator, User Administrator, Directory Writers and Partner Tier1/Tier2 Support. Test with a non-admin account to verify enforcement.
Step 5: Restrict Group Creation to Reduce Future Non-Compliance
Limiting who can create groups reduces the rate at which non-compliant names are introduced. The General settings page offers only tenant-wide on/off switches; delegating Microsoft 365 group creation to a specific approved group is done through the Group.Unified directory setting (Graph or PowerShell), not a portal toggle:
- Navigate to Identity > Groups > General settings.
- Under Microsoft 365 Groups, set Users can create Microsoft 365 groups in Azure portals, API or PowerShell to No; under Security Groups, set Users can create security groups in Azure portals, API or PowerShell to No.
- Create a security group containing approved group creators (typically IT staff or department admins) and reference its object ID in the GroupCreationAllowedGroupId value of the Group.Unified setting, with EnableGroupCreation set to false. Members of that group keep the ability to create Microsoft 365 groups across Microsoft 365 workloads.
# Create the security group that will hold the approved creators.
# This only creates the group; it takes effect once the Group.Unified setting
# references its object ID.
Connect-MgGraph -Scopes "Group.ReadWrite.All"
$groupParams = @{
    DisplayName     = "SEC-Allowed-Group-Creators"
    Description     = "Members can create Microsoft 365 groups"
    MailEnabled     = $false
    SecurityEnabled = $true
    MailNickname    = "AllowedGroupCreators"
}
New-MgGroup @groupParams
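Both the naming policy from Step 4 and the creation restriction from Step 5 are stored in the same place: the tenant's Group.Unified directory setting. The following is an added example, not part of the original page, that writes both with the Microsoft.Graph.Groups v1.0 groupSettings cmdlets (Get-MgGroupSetting, New-MgGroupSetting, Update-MgGroupSetting) and reads the result back. It assumes Directory.ReadWrite.All consent, that the SEC-Allowed-Group-Creators group from the script above already exists, and uses the well-known Group.Unified template ID; the prefix and blocked-word values are illustrative and should be replaced with your documented convention. Because the naming policy applies only to Microsoft 365 groups, the prefix used here is the M365- prefix from Step 1 rather than SEC-.

```powershell
# Added example: configure naming policy and creation restriction via Group.Unified.
# Assumes the Microsoft.Graph.Groups module and an account with Directory.ReadWrite.All.
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"

# Well-known template ID of the Group.Unified settings template.
$templateId = '62375ab9-6b52-47ed-826b-58e47e0e304b'

# Object ID of the approved-creators group created in Step 5 (assumed to exist).
$creators = Get-MgGroup -Filter "displayName eq 'SEC-Allowed-Group-Creators'" -Property Id |
    Select-Object -First 1
if (-not $creators) { throw "SEC-Allowed-Group-Creators not found; create it first." }

$values = @(
    # [GroupName] is the mandatory placeholder; text around it is enforced literally.
    # Illustrative values: substitute your documented prefix and reserved words.
    @{ name = 'PrefixSuffixNamingRequirement'; value = 'M365-[GroupName]' }
    @{ name = 'CustomBlockedWordsList';        value = 'admin,root,test' }
    # Turn off self-service creation except for members of the allowed group.
    @{ name = 'EnableGroupCreation';           value = 'false' }
    @{ name = 'GroupCreationAllowedGroupId';   value = $creators.Id }
)

# A tenant has at most one Group.Unified setting object: update it if present, else create it.
$existing = Get-MgGroupSetting -All | Where-Object TemplateId -eq $templateId
if ($existing) {
    Update-MgGroupSetting -GroupSettingId $existing.Id -BodyParameter @{ values = $values }
} else {
    New-MgGroupSetting -BodyParameter @{ templateId = $templateId; values = $values }
}

# Read back and confirm the four values took. Propagation to the workloads is not instant,
# so verify enforcement afterwards with a non-admin test account as Step 4 advises.
$wanted = 'PrefixSuffixNamingRequirement', 'CustomBlockedWordsList',
          'EnableGroupCreation', 'GroupCreationAllowedGroupId'
Get-MgGroupSetting -All | Where-Object TemplateId -eq $templateId |
    Select-Object -ExpandProperty Values |
    Where-Object Name -in $wanted |
    Format-Table Name, Value -AutoSize
```

Keep the security group that GroupCreationAllowedGroupId points to under the same naming convention and ownership review as any other privileged group: whoever can add members to it can create Microsoft 365 groups (and Teams) that bypass the self-service restriction, though the naming policy still applies to them.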
Verification Checklist
After addressing group naming:
- Naming convention is documented and shared with administrators.
- At least 70% of groups follow the documented pattern (run the audit script to confirm).
- Non-compliant groups have been renamed or documented as approved exceptions.
- Optional: Entra ID group naming policy is configured to enforce prefixes on new groups (P1 required).
- Group creation is restricted to approved creators to prevent future drift.
Troubleshooting
Issue: Naming policy does not apply to group I just created
Cause: The creating user may hold a role that is exempt from the naming policy (Global Administrator, User Administrator, Directory Writers, Partner Tier1/Tier2 Support), or the group may be a security or distribution group, which the policy does not cover.
Solution:
- Verify the policy is saved in Entra ID.
- Test with a non-admin user account.
- Wait up to 24 hours for policy propagation.
Issue: Compliance percentage is below 70% but most non-compliant groups are system-created
Cause: Microsoft creates some internal groups (e.g., "All Users", conference room groups) that do not follow custom naming patterns.
Solution:
- Export the non-compliant list and filter out system-managed groups (for example the tenant-wide "All Users" dynamic group enabled under General settings, conference room groups, and groups that have no owners).
- Document these as approved exceptions in your naming convention policy.
- Focus remediation on administrator-created groups.
Issue: Renaming a Team caused confusion for members
Cause: Microsoft Teams notifies members when the underlying Microsoft 365 group is renamed.
Solution:
- Communicate renames in advance to affected team owners.
- Schedule renames during low-activity windows.
- Rename in batches with adequate notice periods.
Issue: Blocked word still appears in new group names
Cause: The blocked words file may not have uploaded correctly or contains encoding issues.
Solution:
- Download the current blocked words file and verify your entries are present.
- Check for encoding issues (use UTF-8).
- Re-upload the file and save the policy.
Related Controls
- GOV-01: Review Stale User Accounts (service account identification through naming)
- GOV-07: Admin account separation (admin account naming)
- PA-04: Require PIM for All Privileged Roles
Revision History
| Date | Version | Author | Changes |
|---|---|---|---|
| 2025-01-07 | 1.0 | TrueConfig | Initial release |